Feature #5630: Reproducible builds
Document reproducible release process
We need to update the release process documentation to take care of reproducible ISOs and IUKs.
Release process: fetch the ISO from Jenkins and ensure it matches the signature created by the release manager (refs: #12629).
- Target version set to Tails_3.2
I see two main aspects here, that I'll discuss first for ISOs and then for IUKs.
For the ISO image:
- ensure at least N entities produced the same ISO: developers' laptops? CI infra? where do we set the bar?
- avoid having to upload the ISO at release time, and while we're at it, fix the "Upload images" section of the release process doc (AFAIK no RM has actually followed it as-is in years); so, instead of pretending we seed the ISO and then copy it from bittorrent.lizard to rsync.lizard, we should probably instead:
  - scp the detached signature to rsync.lizard
  - ssh rsync.lizard and wget the ISO built by Jenkins
  - verify the detached signature
  - scp the Torrent to bittorrent.lizard
  - ssh bittorrent.lizard, wget the ISO built by Jenkins, add to Transmission
- "ensure at least N entities produced the same" still applies, modulo we don't build them on our CI so only developers can reproduce them;
- regarding publication, it's a bit more subtle since we don't build them on our CI so one needs to upload them (which apparently is not documented yet BTW).
Out of personal interest I might give "avoid having to upload the ISO" a try during the 3.0 release process, in which case I'll probably draft the needed changes in a branch; then anonym can test & polish them.
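The "at least N entities produced the same ISO" check and the signature step from the comment above, as an added example that is not part of this ticket or of the Tails release tooling. The function names, the per-builder report files in `sha256sum` format, and the value of N are assumptions.

```shell
#!/bin/sh
# Added example: gate publication on N independent builds agreeing.
# Each builder (developer laptop, CI, ...) supplies one report file in
# sha256sum format: "<hex digest>  <file name>". All names are hypothetical.

# agreed_digest N REPORT...
# Prints the digest that at least N reports agree on; returns non-zero
# when no digest reaches N or a report file cannot be read.
agreed_digest() {
    need=$1; shift
    for report in "$@"; do
        [ -r "$report" ] || { echo "missing report: $report" >&2; return 2; }
    done
    for report in "$@"; do
        # First field of the first line, normalised to lowercase hex.
        awk 'NR==1 { print tolower($1) }' "$report"
    done | grep -E '^[0-9a-f]{64}$' | sort | uniq -c | sort -rn |
    awk -v need="$need" '
        NR == 1 && $1 >= need { print $2; ok = 1 }
        NR > 1  { print "dissenting digest: " $2 " (" $1 " builder(s))" > "/dev/stderr" }
        END     { exit (ok ? 0 : 1) }'
}

# iso_matches ISO DIGEST
# True when the ISO fetched on this host hashes to the agreed digest.
iso_matches() {
    iso=$1; want=$2
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# publishable N ISO SIG REPORT...
# Quorum first, then the local copy, then the release manager's
# detached signature; any failure stops publication.
publishable() {
    need=$1 iso=$2 sig=$3; shift 3
    digest=$(agreed_digest "$need" "$@") || return 1
    iso_matches "$iso" "$digest" || { echo "ISO differs from quorum" >&2; return 1; }
    gpg --verify "$sig" "$iso"
}
```

On the host that fetched the ISO from Jenkins, a call would look like `publishable 2 tails.iso tails.iso.sig dev1.sha256 dev2.sha256 ci.sha256`, with the file names being placeholders.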